[tor-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Mar 20 20:44:57 UTC 2017
#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
-------------------------------------------------+-------------------------
Reporter: gk | Owner: tbb-
| team
Type: task | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff52-esr, tbb-7.0-must, | Actual Points:
TorBrowserTeam201703, GeorgKoppen201703 |
Parent ID: | Points:
Reviewer: | Sponsor:
| Sponsor4
-------------------------------------------------+-------------------------
Comment (by gk):
Replying to [comment:14 mcs]:
> Finally, here our our notes for Firefox 51 (we did not look at the
Firefox 52 changes yet):
>
> a) We should verify that `TypedArray.toLocaleString()` does not leak
locale information.
> https://developer.mozilla.org/en-
US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray/toLocaleString
There are other objects that have `toLocaleString()` as well, like `Array`
(https://developer.mozilla.org/en-
US/docs/Web/JavaScript/Reference/Global_Objects/Array/toLocaleString) or
`Number` (https://developer.mozilla.org/en-
US/docs/Web/JavaScript/Reference/Global_Objects/Number/toLocaleString). I
have a ticket for all of them: #21784.
> b) We should verify that the new `<input>` types do not leak locale
information, e.g., `<input type="time">`, `type="date"`, `type="week"`,
etc.
> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input
Hm. The docs say these are not implemented yet and the linked bug
(https://bugzilla.mozilla.org/show_bug.cgi?id=888320) seems to second
that. What made you believe they are wrong?
> c) WebGL2 is enabled by default which may enable new fingerprinting
opportunities:
> https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API
This is #16404.
> d) HTTP Opportunistic Security may add some linkability risks, although
it seems okay at a glance.
> http://httpwg.org/http-extensions/opsec.html
> https://bugzilla.mozilla.org/show_bug.cgi?id=1301117
It seems that needs HTTP2/Alternative Services being enabled which is both
not the case for us?
> e) Do we want to disable Web Audio due to fingerprinting risks? Mozilla
keeps adding more functionality. Maybe this is already covered by #13017.
I think having this covered by #13017 seems okay for me. We should keep a
close eye on that one, though. FWIW: We got a pref to disable that in
https://bugzilla.mozilla.org/show_bug.cgi?id=1288359 (+ there is some
discussion on that bugs) we might want to use. I updated #13017
accordingly and flag it for closer ff52-esr scrutiny.
> f) There are some new Storage APIs that we should look at, e.g.,
> https://developer.mozilla.org/en-
US/docs/Web/API/StorageManager/estimate
> https://bugzilla.mozilla.org/show_bug.cgi?id=1267941
I have #21785 for that.
Additionally, I have
g) Check whether the Ambient Light Sensor event.value is properly rounded
off: #21786.
h) Make sure exposing the calendar information does not leak the locale:
#21787.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:28>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list